News & media > News >


Vanessa Bouchara

Updated on May 28, 2021

The National Commission for Information Technology and Civil Liberties, known as the “CNIL”, is an independent administrative authority created in 1978 by the law “Informatique et Libertés” of January 6, 1978 relating to data processing, files and freedoms, amended on numerous occasions in order to comply with the General Data Protection Regulation known as “RGPD” (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data).


he CNIL ensures in particular that personal data on the Internet are well protected, and that the processing of these personal data respects the individual freedoms and fundamental rights of the persons to whom the data belong.

Rights protected

The transmission of personal data is very often done on the Internet.

From filling out registration forms to simple clicks, organizations collect an enormous amount of information about users, which is why the Data Protection Act, particularly following the changes imposed by the RGPD, has provided for several rights of the Internet user to ensure, among other things :

  • The right of access: allows to ask the person in charge of a file which holds information on an Internet user to communicate all the data that it holds on him.
  • The right of rectification: allows an Internet user to request the rectification of inaccurate information concerning him or her.
  • The right to information: allows a user to obtain concise and readable information on how his data is processed and how to assert his rights.
  • The right to object: allows the Internet user to object to his data being distributed, transmitted, stored, and to being included in a file.
  • The right to erasure: allows the user to request the deletion of his data held by an organization when :
        • The data is used for prospecting purposes ;
        • The data is not necessary for the purposes of the collection/processing ;
        • The consent is withdrawn ;
        • The processing is unlawful ;
        • Data was collected when the individual was a minor ;
        • The data must be deleted in compliance with a legal obligation ; or
        • An objection has been made and the person in charge has no legitimate or compelling reason to retain them.
  • The right to dereferencing: Allows you to request the dereferencing of a web page associated with your name.
  • The right of access to police, gendarmerie, intelligence, tax administration files: allows access to data concerning us in these files.

Missions of the CNIL

The CNIL has several missions which derive from the Law ”  Informatique et Libertés ” and the RGPD, including:

  • Examination of complaints, reports or disputes submitted to it for behaviour that does not comply with the Law ” Informatique et Libertés ” or the RGPD. The CNIL may also be required to carry out control missions. These two procedures may result in sanctions being imposed on operators.

It has the power to impose various sanctions : warning, injunction, or financial penalty which can amount to up to 4% of the company’s turnover or 20 million euros.

For example, it has initiated a sanction procedure against the company ” Cdiscount “, for lack of security of online banking data and serious breaches.

The company ” Cdiscount ” had indeed kept 4000 bank details in an unsecured way.

The CNIL thus issued a public warning on September 20, 2016 (Deliberation No. 2016-265) and gave formal notice on September 26, 2016 (Deliberation No. 2016-083) to the company Cdiscount.

The press group PRISMA MEDIA has also been sanctioned by the CNIL for non-compliance with the regulations on email prospecting (Deliberation n°2015-155 of June 1, 2015).

The company did not systematically or sufficiently inform Internet users registered on the group’s newsletter list of the publications they would receive.

The CNIL has given the press group formal notice to cease its actions. Since they have continued, the CNIL has imposed a fine of 15000€ on PRISMA MEDIA.

In November 2020, two of the Carrefour Group’s companies were also sanctioned for numerous violations of the RGPD including in particular a violation relating to the length of time personal data are kept (Deliberation of the restricted panel n°SAN-2020-008 and n°SAN-2020-009 of November 18, 2020 concerning the company CARREFOUR FRANCE).

To this end, the Carrefour companies have been fined 2, 250 ,000 euros and 800 ,000 euros respectively.

In this case, it was because of numerous complaints filed by consumers that the CNIL conducted examinations of the Carrefour companies to verify the proper handling of their customer’s personal data.

The CNIL did not need to issue an injunction because the Carrefour companies quickly complied.

  • Anticipation by monitoring the Internet and social networks to detect and analyze the consequences that new technologies and their uses may have on private life. She reflects on the ethical and social issues raised by the evolution of digital technologies.

As part of its anticipatory mission, the CNIL will verify that companies do not collect data without having made the necessary declarations, that the consent of the persons whose data is collected is well collected for the transmission of these data to third parties, for sending advertisements by SMS, etc … (OPT IN/OPT OUT).

  • The examination of bills and decrees submitted to it for opinion by the Government. It was thus brought to give its opinion on the bill for a “Digital Republic” of Mrs Lemaire for example. This law extends the prerogatives of the CNIL by creating new rights for citizens, and therefore new regulatory missions for the CNIL.

General recommendations

Companies that collect user data must be very vigilant and :

  • Make the necessary declarations ;
  • Solicit the consent of the persons whose data is collected for the transmission of their data to third parties, or for the sending of advertisements by SMS for example ;
  • Publish the legal notice and their personal data policy on their website ;
  • Provide users with the opportunity to effectively exercise their right to access and modify their data ;
  • Ensure that emails sent to users always include the option to unsubscribe.

Recent news

The availability of the sign

Updated on 07/01/2021

To be registered as a trademark, the chosen sign must, in addition to being lawful and distinctive, be available (…)

Under what circumstances can a competitor lawfully use a third party’s trademark on the Internet?

Updated on 16/12/2021

The trademark has the power to unite a customer base. Impulsively, instinctively, thoughtlessly. Sometimes, blind (…)

Unauthorized use of third-party photographs

Updated on 12/24/2021

The photographs are considered, according to the article L.112-2 9° of the Code of the intellectual property as being works of the spirit.

The use of a third party’s product in an advertisement: the Courts’ assessment of the incidental character.

Updated on 23/12/2021

Advertisers frequently use third-party products in their ads that are copyrighted creations.